[SOLVED] PBS firewall control

krikey

Member
Aug 15, 2018
UK
Whilst I know that PBS is meant to be a standalone unit and not necessarily part of a PVE cluster, are there plans to add firewall control to the GUI, or are you expecting a PBS to typically not be web facing or only existing behind a third party firewall device?
 

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
if not behind some other firewall, you basically only need to drop everything besides 8007 (and optionally, leave some management access open for SSH/VPN/...). that is fairly straight-forward with stock ip/nftables, all the complicated interactions between cluster, hosts and guests are not there..

not saying it will never happen, but not high up the list of improvements either ;)
 

krikey

Member
Aug 15, 2018
UK
Revisiting this a few months later. Great work on PBS by the way o7.

I've started to set up iptables and I'm sure that it's a mistake I'm making but after setting the default policy to DROP on the INPUT after adding a couple of ALLOW rules for SSH and port 8007, it seems that I can no longer access the web interface.

Here's a copy of my iptables:

Bash:
Chain INPUT (policy DROP)
num  target     prot opt source               destination       
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8007

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination       

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination       

Is there any reason why this would stop access to the web interface on 8007?
 

krikey

Member
Aug 15, 2018
UK
More specifically, I can reach the login screen but the login credentials no longer seem to work unless I change the default policy on INPUT to ACCEPT.
 

krikey

Member
Aug 15, 2018
UK
Ok... I think I've solved it and this may be useful for other users who have web facing PBS (whether they should be web facing is for another time).
Here's my IPTABLES that allows SSH and 8007 only for my IP address and on the ETH1 device.

Bash:
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1       28  3768 ACCEPT     tcp  --  eth1   any     [myipaddress]        anywhere             tcp dpt:ssh
2      481  219K ACCEPT     tcp  --  eth1   any     [myipaddress]       anywhere             tcp dpt:8007
3     762K  125M ACCEPT     all  --  eth2   any     anywhere             anywhere          
4     3070  538K ACCEPT     all  --  lo     any     anywhere             anywhere          

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

I've an additional interface called eth2 which is a LAN interface which I didn't want to be affected by the other IPTABLES rules.
 
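The working ruleset above differs from the broken one in two ways that matter: it accepts traffic on `lo`, and it restricts the management ports to one source address and one interface. The loopback rule is the one that fixes the login: the PBS proxy listening on 8007 hands API requests (including authentication) to a daemon bound to localhost, so an INPUT policy of DROP without a `lo` accept lets the login page render but makes every login fail. The script below is an added example, not code from the thread or from Proxmox; it rebuilds the same policy as `iptables` commands, adds a conntrack rule for established connections, and sets the DROP policy only after the accept rules are in place so that applying it over SSH cannot lock you out. The address `203.0.113.10` and the interface names are placeholders standing in for `[myipaddress]`, `eth1` and `eth2`; the functions `pbs_rules` and `pbs_apply` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): PBS host firewall as iptables commands.
# Placeholders, override via environment: MGMT_IP is the single address allowed
# to reach SSH and the PBS web/API port, WAN_IF the exposed NIC, LAN_IF the
# trusted LAN NIC that stays fully open (eth2 in the thread).
MGMT_IP="${MGMT_IP:-203.0.113.10}"   # constructed placeholder for [myipaddress]
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth2}"
PBS_PORT=8007

# Emit the ruleset, one iptables command per line. Nothing is applied here,
# so the output can be reviewed or diffed before it touches the host.
pbs_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp -s $MGMT_IP --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp -s $MGMT_IP --dport $PBS_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Count the accept rules that would be installed; useful as a sanity check
# that the management port and the loopback rule are both present.
pbs_rule_count() {
    pbs_rules | grep -c -- '-j ACCEPT'
}

# Apply the rules in order. The DROP policy is the last line emitted by
# pbs_rules, so the accept rules already exist when the policy flips.
pbs_apply() {
    pbs_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

case "${1:-show}" in
    apply) pbs_apply ;;
    *)     pbs_rules ;;
esac
```

Run it without arguments to print the rules, and with `apply` (as root) to install them. To keep the rules across reboots, persist them with whatever your distribution uses (for example the `iptables-persistent` package on Debian), since the script itself only builds the live ruleset.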
